[wp-meta] [Making WordPress.org] #5937: Extend the possibility for leaving a plugin or theme review
Making WordPress.org
noreply at wordpress.org
Tue Oct 26 10:58:04 UTC 2021
#5937: Extend the possibility for leaving a plugin or theme review
-------------------------+--------------------
Reporter: Clorith | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: General | Keywords:
-------------------------+--------------------
**Disclaimer: This is for sharing an extended idea, and is not an absolute solution, or implementation guide.**
Now that we've got the formalities out of the way: currently, to write a
review for a plugin or theme on WordPress.org, you need to create an
account. This is fine, but since WordPress.org does not have SSO (Single
Sign On), it means users need ''yet'' another account, which is a barrier
for many.
With the addition of Application Passwords, we could investigate other
avenues to help plugin and theme authors encourage reviewing their
solutions. There are pros and cons to this of course, which I'll get back
to shortly.
If an anonymous user goes to write a review, ask them for their WordPress
website URL as well. When the review is submitted, it would then be
possible to validate their site, _and_ that they have the plugin or theme
installed before leaving a review. After the validation is done, the token
should be removed from WordPress.org, as there's no scenario where we
would want to sit on the potential access to who knows how many sites.
One drawback is that anyone leaving a negative review is unlikely to have
the plugin or theme still installed. I think the contrast could be drawn
that they'd then not have a problem making an account to share their
disapproval in the first place.
Alternatively, the app password request could be used to authenticate
against a website, grab their account e-mail, and use it as an avenue to
create (and approve) their account with WordPress.org in as smooth a
transition as possible.
Regardless of approach, it would need to pass through abuse detection of
some form, like anything else. What options do we have to prevent abuse
here? Anyone can spin up a WordPress site fairly easily these days, so what
potential abuse do we envision, and how do we work against each of these?
 * This could be used to sign up under temporary emails we would normally
   filter out.
   * Any normal signup flow precautions should be applied like before.
 * Someone could spam reviews for plugins or themes via single-use sites.
   * Should we detect high activity on plugin or theme reviews/forums in the
     first place to trigger a "slow down" or similar for ensuring nobody is
     being targeted? (probably a different ticket, but a potential fix)
Those were two quick thoughts to get the discussion rolling.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/5937>
Making WordPress.org <https://meta.trac.wordpress.org/>
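The validation flow the ticket sketches (take the reviewer's site URL, authenticate against it with an Application Password, confirm the plugin is installed, then discard the credential), written out as an added example that is not part of the ticket or of WordPress.org's code. It uses the real `wp/v2/plugins` REST route and Basic-auth form of Application Passwords; the HTTP client is injected so the check runs offline against a constructed response, and the URL check (https only, no literal private addresses) is an assumed hardening step, not something the ticket specifies.

```python
import base64
import ipaddress
import json
from urllib.parse import urlparse


def validate_site_url(url: str) -> str:
    """Accept only https URLs with a hostname and return the normalised origin.

    User-supplied URLs are fetched server-side, so literal loopback/private
    addresses are rejected up front (assumed hardening, not from the ticket).
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("site URL must be https:// with a hostname")
    try:
        ip = ipaddress.ip_address(parsed.hostname)
    except ValueError:
        ip = None  # a DNS name; the HTTP client resolves it later
    if ip is not None and not ip.is_global:
        raise ValueError("literal private or loopback addresses are rejected")
    port = f":{parsed.port}" if parsed.port else ""
    return f"https://{parsed.hostname}{port}"


def basic_auth_header(username: str, app_password: str) -> str:
    """Application Passwords are sent as HTTP Basic auth: base64(user:password)."""
    token = base64.b64encode(f"{username}:{app_password}".encode()).decode()
    return f"Basic {token}"


def plugin_installed(plugins_json: str, slug: str) -> bool:
    """True if the wp/v2/plugins response lists a plugin living in directory `slug`."""
    return any(
        entry.get("plugin", "").split("/")[0] == slug
        for entry in json.loads(plugins_json)
    )


def verify_review_site(site_url, username, app_password, slug, fetch) -> bool:
    """Check that the reviewer's site has `slug` installed, then forget the credential.

    `fetch(url, headers)` must return the response body as a string; a real
    deployment would wrap an HTTP client call with a short timeout here.
    """
    origin = validate_site_url(site_url)
    headers = {"Authorization": basic_auth_header(username, app_password)}
    try:
        body = fetch(f"{origin}/wp-json/wp/v2/plugins", headers)
    finally:
        # Single-purpose credential: drop every reference once the check is done.
        del headers, app_password
    return plugin_installed(body, slug)


# Constructed sample response in the shape wp/v2/plugins returns (not real data).
SAMPLE_PLUGINS_RESPONSE = json.dumps([
    {"plugin": "akismet/akismet", "status": "inactive", "name": "Akismet Anti-Spam"},
    {"plugin": "example-plugin/example-plugin", "status": "active", "name": "Example"},
])


def fake_fetch(url: str, headers: dict) -> str:
    """Offline stand-in for the HTTP client; asserts the request is well-formed."""
    assert url.endswith("/wp-json/wp/v2/plugins") and headers["Authorization"].startswith("Basic ")
    return SAMPLE_PLUGINS_RESPONSE
```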